Merge "Add ssh key rotation to gitea ssh key management"

2023-11-29 23:53:18 +00:00 · 2023-11-29 23:53:18 +00:00 · 89909790b2
commit 89909790b2
parent 53f40e101e c843085a02
2 changed files with 59 additions and 17 deletions
--- a/inventory/service/group_vars/gitea.yaml
+++ b/inventory/service/group_vars/gitea.yaml
@ -1,5 +1,9 @@
 gitea_root_email: infra-root@openstack.org
-gitea_gerrit_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVuhTMAz1H2Jr9AC3py9A0vlNna6Sdt4yrvZOayxukPqQ7GPZd+Mo7MVyypxLD479N2mA09JAdsbq1eTiPP8ksEkB+dNxZzw8mY1653R/IXSW6J9xPcoDa88HF2s/xHN24IWzgiDjNNe79AQ+sKleByEQZ++xXny3MRpy258hKUvAtjjOLOnM1PBs8JNOzBL+UPgWRgSX6GG0qywJZqjD1Qx5kvH9RTRLi+tcMhEi4laN7BYvn4csY0sYzTzPG4ZTu3ootIJoRlQGtQ0LmoFO1vSwyEJUags6/ZZGjgy3jl3kwcU/b8ZnFlF4MDw1OB1QqMb4r6bMHbXNIupp4zJbz gerrit-replication-2014-04-25
+# Gerrit replication key(s). When these values are identical only one key
+# is created in Gitea. When they are different two different keys are added.
+# This allows for key rotation.
+gitea_gerrit_public_key_A: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVuhTMAz1H2Jr9AC3py9A0vlNna6Sdt4yrvZOayxukPqQ7GPZd+Mo7MVyypxLD479N2mA09JAdsbq1eTiPP8ksEkB+dNxZzw8mY1653R/IXSW6J9xPcoDa88HF2s/xHN24IWzgiDjNNe79AQ+sKleByEQZ++xXny3MRpy258hKUvAtjjOLOnM1PBs8JNOzBL+UPgWRgSX6GG0qywJZqjD1Qx5kvH9RTRLi+tcMhEi4laN7BYvn4csY0sYzTzPG4ZTu3ootIJoRlQGtQ0LmoFO1vSwyEJUags6/ZZGjgy3jl3kwcU/b8ZnFlF4MDw1OB1QqMb4r6bMHbXNIupp4zJbz gerrit-replication-2014-04-25
+gitea_gerrit_public_key_B: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVuhTMAz1H2Jr9AC3py9A0vlNna6Sdt4yrvZOayxukPqQ7GPZd+Mo7MVyypxLD479N2mA09JAdsbq1eTiPP8ksEkB+dNxZzw8mY1653R/IXSW6J9xPcoDa88HF2s/xHN24IWzgiDjNNe79AQ+sKleByEQZ++xXny3MRpy258hKUvAtjjOLOnM1PBs8JNOzBL+UPgWRgSX6GG0qywJZqjD1Qx5kvH9RTRLi+tcMhEi4laN7BYvn4csY0sYzTzPG4ZTu3ootIJoRlQGtQ0LmoFO1vSwyEJUags6/ZZGjgy3jl3kwcU/b8ZnFlF4MDw1OB1QqMb4r6bMHbXNIupp4zJbz gerrit-replication-2014-04-25
 iptables_extra_public_tcp_ports:
  - 222
  - 3000
--- a/playbooks/roles/gitea/tasks/main.yaml
+++ b/playbooks/roles/gitea/tasks/main.yaml
@ -119,7 +119,7 @@
      send_notify: false
      source_id: 0
      username: gerrit
- name: Check if gerrit ssh key exists
+- name: List keys to determine which updates are necessary.
  uri:
    user: root
    password: "{{ gitea_root_password }}"
@ -129,19 +129,17 @@
    status_code: 200
  register: gerrit_key_check
  no_log: true
- name: Delete old gerrit ssh key
-  when: gerrit_key_check.json | length > 0 and gerrit_key_check.json[0].key != gitea_gerrit_public_key
-  no_log: true
-  uri:
-    user: root
-    password: "{{ gitea_root_password }}"
-    force_basic_auth: true
-    url: "https://localhost:3000/api/v1/user/keys/{{ gerrit_key_check.json[0].id }}"
-    validate_certs: false
-    method: DELETE
-    status_code: 204
- name: Add gerrit ssh key
-  when: gerrit_key_check.json | length == 0
+# We want to allow for multiple keys in order to do key rotations.
+# Check if both keys are present. If a key is not present then add it
+# to Gitea. Keep in mind the two keys may be the same in which case
+# we can skip the second key creation. Finally clean up any keys
+# that don't match the two keys. This allows us to do key rotations.
+- name: Determine if key A and key B are already present
+  set_fact:
+    key_A_present: "{{ gerrit_key_check.json | selectattr('key', 'equalto', gitea_gerrit_public_key_A ) | list | length > 0 }}"
+    key_B_present: "{{ gerrit_key_check.json | selectattr('key', 'equalto', gitea_gerrit_public_key_B ) | list | length > 0 }}"
+- name: Add gerrit ssh key A
+  when: not key_A_present
  no_log: true
  uri:
    user: root
@ -153,9 +151,49 @@
    status_code: 201
    body_format: json
    body:
-      key: "{{ gitea_gerrit_public_key }}"
+      key: "{{ gitea_gerrit_public_key_A }}"
      read_only: false
-      title: "Gerrit replication key"
+      title: "Gerrit replication key A"
+- name: Add gerrit ssh key B
+  when: not key_B_present and gitea_gerrit_public_key_A != gitea_gerrit_public_key_B
+  no_log: true
+  uri:
+    user: root
+    password: "{{ gitea_root_password }}"
+    force_basic_auth: true
+    url: "https://localhost:3000/api/v1/admin/users/gerrit/keys"
+    validate_certs: false
+    method: POST
+    status_code: 201
+    body_format: json
+    body:
+      key: "{{ gitea_gerrit_public_key_B }}"
+      read_only: false
+      title: "Gerrit replication key B"
+- name: List keys again to ensure key ids are correct for deletion.
+  uri:
+    user: root
+    password: "{{ gitea_root_password }}"
+    force_basic_auth: true
+    url: "https://localhost:3000/api/v1/users/gerrit/keys"
+    validate_certs: false
+    status_code: 200
+  register: gerrit_key_check
+  no_log: true
+- name: Delete old gerrit ssh keys
+  when: existing_pubkey.key != gitea_gerrit_public_key_A and existing_pubkey.key != gitea_gerrit_public_key_B
+  no_log: true
+  uri:
+    user: root
+    password: "{{ gitea_root_password }}"
+    force_basic_auth: true
+    url: "https://localhost:3000/api/v1/user/keys/{{ existing_pubkey.id }}"
+    validate_certs: false
+    method: DELETE
+    status_code: 204
+  loop: "{{ gerrit_key_check.json }}"
+  loop_control:
+    loop_var: existing_pubkey
 - name: Set up cron job to pack git refs
  cron:
    name: pack-git-refs